To comply with sections 6.9 - 6.12 of the Academies Financial Handbook, Multi-Academy Trusts (MATs) must be aware of the risk of fraud, theft and irregularity. Cyber security is specifically referenced by the Education & Skills Funding Agency (ESFA) as a concern that must be managed, requiring Trusts to be vigilant and proactive in relation to cyber crime. This blog provides further guidance on your MAT's responsibilities for compliance with the Handbook and with data protection and related law.
In a recent report of cases handled by the Information Commissioner's Office (ICO) in relation to schools (May 2018 - May 2019), 24 per cent of cases were the result of a security incident, e.g. when a school reported, or was reported for, cyber crime or fraud-related data breaches. Nationally, there have been well-documented cases where schools have been victims of cyber crime. Back in March 2019, BBC News reported on the unfortunate case of Bridport School, which ended up losing GCSE coursework due to a cyber attack. Around the same time, Schools Week reported on data from the ICO showing that the number of cyber attacks on schools had risen by 69 per cent in a year. Between July and September 2017, there were 26 such reports. In the same period in 2019, there were 44.
The law is clear that Boards of Governors have the same level of responsibility for protecting schools from cyber crime as the Board of Directors of any company, e.g. Facebook, Google, British Airways (some of these not very successfully...). The recent ‘Cyber Security Toolkit for Boards’ from the National Cyber Security Centre (NCSC) specifically highlights ‘Boards of Governors’ as those who are accountable for improving and governing cyber security risks, with the same degree of importance as they would give to other organisational risks, such as safeguarding, or the more recent obligations under the UK's Data Protection Act 2018.
Five strategic questions for education providers
The ESFA highlights that academy trust audit committees should follow a five-step approach as a starting point for considering cyber risks in the trust:
1. Information Held
Does the school have a clear and common understanding of the range of information assets it holds and those that are critical to the business?
2. Threats and Vulnerabilities
Does the school have a clear understanding of cyber threats and vulnerabilities?
3. Risk Management
Is the school proactively managing cyber risks as an integrated facet of broader risk management including scrutiny of security policies, technical activity, user education and testing and monitoring regimes against an agreed risk appetite?
4. Aspects of Risk
Does the school have a balanced approach to managing cyber risk that considers people (culture, behaviours and skills), process, technology and governance, to ensure a flexible and resilient cyber security response?
5. Governance Oversight
Does the school have sound governance processes in place to ensure that actions to mitigate threats and maximise opportunities in the cyber environment are effective?
Evidencing Cyber Security Protections for your Audit Committee & Board of Governors
Importantly, the ESFA identifies the requirement for audit committees to demonstrate the ‘quality of evidence underpinning assurances provided by management’ when assessing the risks. This guidance encourages audit committees to assess and gain assurance through completion of the NCSC’s 10 Steps to Cyber Security. This framework is the starting point for Cyber Essentials certification, which is a mandated requirement for all public sector bodies and any organisation wishing to conduct business with the public sector.
Complimentary Tech & Cyber Review - Welcome Back!
Trusts, Boards of Governors, School Leaders and IT Departments are required to evaluate their level of compliance with the 10 Steps to Cyber Security. The NCSC guidance states that your Board of Governors is required to ‘provide direction on cyber security strategy and hold decisions to account’. In order to make informed decisions, however, your board must first understand your current cyber security posture, both technically and operationally.
That is why we are welcoming schools back from the summer with a complimentary Tech & Cyber Review delivered by our expert in-house cyber security team. The review takes the form of an infrastructure vulnerability assessment of your academy (if you are a MAT, you will have to pick one academy!). By simulating a cyber attacker scanning for vulnerabilities from within the school's network and against its externally facing IP addresses, we will present back to you the identifiable vulnerabilities across the school network and systems that have a likelihood of being compromised. Click below to organise a review with a consultant from 9ine.
Training & Support for Leadership & Board of Governors
Having the right level of training is a key requirement for demonstrating best practice in cyber security. Register for our 45-minute webinar on Friday 11th October at 2.00pm. Our webinar, "Cyber Security for School Leadership and Your Governing Body," will discuss the obligations placed upon school leadership and governing bodies to protect your organisation from cyber crime and fraud. The webinar is also available on demand, so if you cannot make it, do not worry; just make sure to register below!